Unlucky for you: UK crypto-duo 'crack' HTTPS in Lucky 13 attack

OpenSSL patch to protect against TLS decryption boffinry

Two scientists say they have identified a new weakness in TLS, the encryption system used to safeguard online shopping, banking and privacy. The design flaw, revealed today, could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites.

Professor Kenny Paterson from the Information Security Group at Royal Holloway, University of London and PhD student Nadhem Alfardan claim they can crack TLS-encrypted traffic in a man-in-the-middle attack.

According to their study, the weakness revolves around altering messages exchanged between the web server and browser, and noting microsecond differences in the time taken to process them.

These timings effectively leak information about the data being transferred, allowing eavesdroppers to rebuild the original unencrypted information slowly piece by piece.

Specifically, an attacker strategically changes the data used to pad out the encrypted blocks of information, and measures the time taken for the server to work out that the message was tampered with before rejecting it. The progress of the algorithms processing the blocks is revealed by this time difference, and it's enough to gradually calculate the contents of the original message.

But it is tricky to precisely measure these timings due to network jitter and other effects. And tampering with the data will cause the connection between the browser and the server to fail. Thus, a bit of client-side malware is needed to repeatedly probe a server with new connections, replaying slightly altered versions of the original encrypted message, which might for example be a login cookie. This is similar to the earlier BEAST (Browser Exploit Against SSL/TLS) attack.

We're told attacks against DTLS - a variant of TLS used by VPNs to secure traffic - can be carried out in a single session.

Speaking to El Reg, Prof Paterson said JavaScript code injected into a web page could implement the new research and decrypt a victim's login cookie in about two hours: "An ordinary cyber-criminal would just use a phishing attack [to get a password] but for a nation state interested in getting an activist's login cookie for Tor, this sort of attack is possible for a determined and well-resourced attacker.

"TLS is not quite as bullet-proof as we thought."

A paper [PDF] titled Lucky Thirteen: Breaking the TLS and DTLS Record Protocols was published on Monday, and states:

The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks like the Internet. It is widely used to secure web traffic and e-commerce transactions on the Internet. Datagram TLS (DTLS) is a variant of TLS that is growing in importance. We have found new attacks against TLS and DTLS that allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used.

The attacks arise from a flaw in the TLS specification rather than as a bug in specific implementations. We have carried out experiments to demonstrate the feasibility of the attacks against the OpenSSL and GnuTLS implementations of TLS, and we have studied the source code of other implementations to determine whether they are likely to be vulnerable.

Professor Paterson said: "While these attacks do not pose a significant threat to ordinary users in its current form, attacks only get better with time. Given TLS's extremely widespread use, it is crucial to tackle this issue now.

"Luckily we have discovered a number of countermeasures that can be used. We have been working with a number of companies and organisations, including OpenSSL, Google and Oracle, to test their systems against attack and put the appropriate defences in place."

The attacks apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. All TLS and DTLS cipher-suites that include CBC-mode encryption are potentially vulnerable.

Like CRIME (Compression Ratio Info-leak Made Easy) and the earlier BEAST SSL exploit, both developed by security researchers Juliano Rizzo and Thai Duong, the Royal Holloway academics' Lucky Thirteen study threatens a fundamental e-commerce security protocol. The latest attacks "are quite different from BEAST and CRIME" as the university pair explain in an FAQ:

BEAST exploits the inadvisable use of chained IVs in CBC-mode in SSL and TLS 1.0. CRIME cleverly exploits the use of compression in TLS. Our attacks are based on analysing how decryption processing is carried out in TLS. However, our attacks can be enhanced by combining them with BEAST-style techniques.

The computer-science duo tested their attack against OpenSSL and GnuTLS. For OpenSSL, full plaintext recovery of encrypted data is possible. For GnuTLS, partial recovery is possible. The researchers have not studied any closed-source implementations of TLS. Blocking the attack can be achieved by either adding random time delays to CBC-mode decryption or switching to either the RC4 or AES-GCM cipher-suites.

GnuTLS released a patch on Monday. OpenSSL is working on a fix. Other vendors, including web browser developers, may also need to adapt their software in response to the threat. ®

Bootnote

The researchers have a neat explanation for why the attack they have developed is called Lucky Thirteen:

"In Western culture, 13 is considered an unlucky number. However, for our attack, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky - from the attacker's perspective at least. This is what passes for humour amongst cryptographers."